
FAQ: COVID-19 and Health Data Privacy

March 26, 2020

Overview

This FAQ addresses questions of HIPAA compliance and requirements in regards to the COVID-19 pandemic. This FAQ is broken into eight sections:

»     HIPAA Waivers
»     Applicability of HIPAA to Public Health
»     HIPAA Basics
»     Disclosures to the Media
»     Disclosures to First Responders
»     Disclosures to Law Enforcement
»     Disclosures in Judicial and Administrative Proceedings
»     Disclosures in Response to a Freedom of Information Act Request

HIPAA Waivers

Q: Has HHS waived any HIPAA requirements during this COVID-19 pandemic?

A: In response to President Trump’s declaration of a nationwide emergency concerning COVID-19 and HHS Secretary Azar’s declaration of a public health emergency, Secretary Azar issued a limited waiver effective March 15, 2020, waiving sanctions and penalties against a covered hospital that does not comply with specific portions of the HIPAA Privacy Rule.

Q: Has the Office of Civil Rights (OCR), which regulates HIPAA compliance, offered any relief for providers that are serving patients remotely through telehealth services to lessen or prevent the spread of COVID-19?

A: Effective March 17, 2020, OCR issued a Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency. OCR states that it will not impose penalties for noncompliance with HIPAA’s Rules against health care providers in connection with their good faith use of telehealth during the COVID-19 nationwide public health emergency.

On March 20, 2020, OCR issued guidance on telehealth remote communications following its notification of enforcement discretion.

Q: Is the HIPAA Security Rule suspended during a national or public health emergency?

A: No. Within the limited waiver, HHS makes clear that compliance with the HIPAA Security Rule’s administrative, physical and technical safeguards is still required to protect patient information against intentional or unintentional impermissible uses and disclosures. However, the Secretary of HHS has authority to waive sanctions and penalties when the President declares an emergency or disaster and the HHS Secretary declares a public health emergency. Further, OCR evaluates complaints on a case-by-case basis and exercises its discretion when it takes enforcement action.

Applicability of HIPAA to Public Health

Q: Does HIPAA apply to public health departments?

A: HIPAA applies only to “covered entities” and their business associates. Covered entities are:

  • Health Plans (includes Blue Cross, commercial insurers, group health plans, HMOs, Medicaid, Medicare)
  • Health care providers that engage in standard electronic transactions with regard to payment
  • Health Care Clearinghouses (companies that translate and reformat electronic transactions)

A health department’s clinic that provides health services to individuals and bills health plans electronically for those services is covered by HIPAA. Even if a health department offers health services, such as vaccinations or sexually transmitted disease screening, in furtherance of health goals, it may be covered by HIPAA. These health services are HIPAA covered if the clinic bills electronically or utilizes any of the standard transactions in the administrative or financial aspects of health care delivery. If a health department operates a health plan, such as Medicaid or the Children’s Health Insurance Program, those relevant components are covered by HIPAA. 

Whether HIPAA applies to a health department’s communicable disease program depends on the organization of the health department and whether it has declared itself a “hybrid entity”, designating covered components and non-covered components. If the communicable disease program is within the covered component of a hybrid entity or within a fully covered health department, then HIPAA applies to the communicable disease program. For more information about HIPAA coverage assessments of health departments and the hybrid entity policy option, read more.

Regardless of HIPAA, health departments must also comply with state laws regarding confidentiality of information.  State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections.

HIPAA Basics

Q: Does HIPAA allow providers to report health information to a health department’s communicable disease program without patient authorization?

A: Yes. HIPAA privacy regulations permit “covered entities” (such as hospitals, clinical laboratories, nursing homes, and physicians) to provide protected health information (PHI) to “public health authorities” such as state and local health departments for certain purposes:

  • “A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. . .”
  • “A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.” 45 CFR § 164.512(b). Read more.

Q: When a health department’s clinic or other HIPAA covered program wants to share PHI in an emergency situation, is patient authorization always required?

A: No. HIPAA allows a covered entity to share PHI without authorization for public health activities, as described above; for treatment; to family, friends, and others involved in the individual’s care and for notification; and to prevent or lessen a serious or imminent threat. The prerequisites, conditions and limitations of each of these disclosures are described within the limited waiver. For additional information, please see this OCR FAQ regarding information sharing in a severe disaster.

Disclosures to the Media

Q: May health departments release COVID-19 county level case information (number of COVID-19 cases by county) to the press?

A: Generally, the vast majority of state health departments’ disease prevention and control programs are not HIPAA covered. This is to say that most state health departments have chosen the hybrid option under HIPAA and likely have identified their disease prevention and control programs as core public health functions that are not subject to HIPAA. See the discussion above regarding health departments limiting HIPAA’s coverage by becoming a hybrid entity.

However, generally all health departments must comply with state law and other federal law regarding confidentiality of information. State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections. Further, health department policy also governs health departments’ disclosures of information to the media regarding COVID-19 and other communicable disease. Relevant law and policy should be consulted.

The Association of State and Territorial Health Officials, the National Association of County & City Health Officials, and the Association of Health Care Journalists developed guidance regarding the release of information concerning deaths, epidemics or emerging diseases. This guidance may assist health departments in determining such questions as whether to include a patient name with a school or whether more general information is appropriate.

This press release reflects how one jurisdiction balances the public’s right to know against an individual’s right to privacy and confidentiality.

For health departments that are fully covered by HIPAA, please see the FAQ below.

Q: Fully HIPAA covered only. May a fully HIPAA covered health department issue a press release to the media or to the public at large about a COVID-19 case and include patient identifiable information or specific treatment information about an identifiable patient such as the COVID-19 test, test results or details of the illness?

A: When a health department’s communicable disease program is covered by HIPAA (see earlier discussion), it may not release patient identifiable information or information about the treatment of an identifiable patient to the media without a signed patient authorization. This guidance is included within HHS’ limited waiver.

Further, all health departments must also comply with state law, other federal law and health department policy regarding confidentiality of information as discussed immediately above. 

Q: Fully HIPAA covered only. May a fully HIPAA covered health department release COVID-19 county level case information (number of COVID-19 cases by county) to the press?

A: A fully HIPAA covered health department may not disclose the number of positive COVID-19 cases by county because this constitutes PHI. HIPAA requires that this disclosure only occur with patient authorization or if the information has been de-identified.  

HIPAA offers two methods of de-identification. The first, known as the Safe Harbor method, is commonly utilized in public health. 45 CFR § 164.514(b)(2). The Safe Harbor method requires removal of any unique identifying numbers, characteristics or codes. For example, the following identifiers must be removed before the information is considered de-identified and may be released: patient name; geographic subdivision smaller than a state, such as county; and any date, except year, such as an approximate date of an individual’s COVID-19 test result. For more information, please see the Network’s De-identification Toolkit.

The second means of de-identifying information is known as the expert method. A fully HIPAA covered health department might utilize a HIPAA expert to evaluate the degree of risk that the information proposed to be disclosed, alone or in combination with other reasonably available information, could be used to identify an individual. If the expert concludes that the risk of re-identification is “very small”, the health department may disclose accordingly. The HIPAA expert must document the results. A HIPAA expert is a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable. 45 CFR § 164.514(b)(1). For more information, please refer to the Network for Public Health Law’s quick reference.
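As an added illustration (not the Network’s own tool or guidance) of the Safe Harbor rules quoted above, the following Python applies them to constructed case records and refuses to build the county-by-county table that the FAQ says a fully covered department may not release. The field names and the fictitious records are assumptions of this example, and it covers only the identifier categories the FAQ lists, not the full Safe Harbor list.

```python
from collections import Counter
from datetime import date

# Constructed sample case records for this illustration; not real data.
CASES = [
    {"name": "Pat Example", "mrn": "A1001", "county": "Adams", "state": "CO",
     "test_date": date(2020, 3, 20), "result": "positive"},
    {"name": "Sam Sample", "mrn": "A1002", "county": "Adams", "state": "CO",
     "test_date": date(2020, 3, 22), "result": "positive"},
    {"name": "Lee Placeholder", "mrn": "A1003", "county": "Boulder", "state": "CO",
     "test_date": date(2020, 3, 23), "result": "positive"},
    {"name": "Kim Fictitious", "mrn": "W2001", "county": "Natrona", "state": "WY",
     "test_date": date(2020, 3, 24), "result": "positive"},
]

# Field-name categories are assumptions of this example. They mirror the Safe
# Harbor identifiers the FAQ quotes: names and unique identifying numbers,
# geographic subdivisions smaller than a state, and any date other than a year.
DIRECT_IDENTIFIERS = {"name", "mrn"}
SUB_STATE_GEOGRAPHY = {"street", "city", "zip", "county"}
DATE_FIELDS = {"test_date", "birth_date", "admit_date"}


def safe_harbor_violations(columns):
    """Return, sorted, the columns of a proposed release table that the quoted
    Safe Harbor rules forbid. An empty list means none of the listed
    identifier categories is present."""
    cols = set(columns)
    return sorted(cols & (DIRECT_IDENTIFIERS | SUB_STATE_GEOGRAPHY | DATE_FIELDS))


def deidentify(record):
    """Apply the quoted rules to one record: drop names, identifying numbers
    and sub-state geography; keep each date only as its year (*_year)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue
        if key in DATE_FIELDS:
            out[key[: -len("_date")] + "_year"] = value.year
            continue
        out[key] = value
    return out


def release_counts(cases, geography="state"):
    """Aggregate positive case counts for release. County-level counts are the
    disclosure the FAQ says a fully covered department may not make, so any
    geography other than state is refused; state-by-year counts are returned."""
    if geography != "state":
        raise ValueError(
            f"{geography!r} is a geographic subdivision smaller than a state; "
            "the table would not be Safe Harbor de-identified")
    positives = (c for c in cases if c["result"] == "positive")
    return dict(Counter((c["state"], c["test_date"].year) for c in positives))


if __name__ == "__main__":
    print(safe_harbor_violations(["county", "positive_cases"]))  # ['county']
    print(deidentify(CASES[0]))
    print(release_counts(CASES))
```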

Q: Are there alternative ways to support a fully HIPAA covered health department’s decision to release COVID-19 county level case information (number of COVID-19 cases by county) to the press?

A: If a fully HIPAA covered health department cannot take advantage of the two de-identification methods to share the number of positive COVID-19 cases per day, but believes that the information is essential for the people who live in its jurisdiction, it should consider alternatives that would avoid adverse health consequences.

For example, fully HIPAA covered health departments might consider HIPAA’s exception to its general rule of state preemption, which preempts any contrary provision of state law. 45 CFR § 160.203.

Where HIPAA and state law conflict, HIPAA generally preempts state law. But under certain circumstances, HIPAA preemption does not apply where state law provides “for the conduct of public health surveillance, investigation, or intervention.” 45 CFR § 160.203(c). In particular, HIPAA would not control how state and local health departments implement state laws to monitor COVID-19.

Accordingly, the argument is that HIPAA does not limit a health department’s disclosure of information as it conducts COVID-19 related surveillance, investigation, and intervention pursuant to State law. This approach is a novel and emerging legal theory to address the COVID-19 pandemic. Please note that to date, we have identified no OCR guidance to this effect. This emergency situation could not have been anticipated and time is of the essence.

Q: Fully HIPAA covered only. May a fully HIPAA covered health department release COVID-19 county level case information (number of COVID-19 cases by county) to the press to avert a serious threat to public health or safety?

A: HIPAA permits HIPAA covered entities to disclose PHI where the covered entity has a good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Disclosure of a COVID-19 case at the county level is protected PHI. Disclosures to avert a serious threat to health must be consistent with all applicable law, such as state law, and conform to ethical standards. The disclosure must also occur to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. 45 CFR § 164.512(j). Please see the Network for Public Health Law’s discussion of considerations in applying this HIPAA exception to a proposed disclosure of HIPAA protected information to the media.

Disclosures to First Responders

Q: May a health department provide the name and residential address/location of each positive COVID-19 case to first responders to protect their health?

A: At this time, there is no clear answer to the question.

A health department might use the following framework to evaluate how to proceed. Can I? Must I? Should I?

With respect to “Can I?”, the question is whether there is legal authority to disclose this information. It is likely that there is legal authority to disclose this information to first responders, as outlined in the FAQ immediately below. With respect to “Must I?”, must the health officer warn first responders of the COVID-19 status of all individuals in the community who have tested positive? Usually not, because the health officer has significant discretion in determining how to protect the public and prevent and control the spread of disease.

The health officer might then analyze “Should I?” This decision is based on professional judgment with input from team members with subject matter expertise. The health officer will weigh the competing interests – balancing the individual’s interest in privacy against protecting EMS employees, the health care system, and the general public.

For a robust discussion of these considerations, along with guidance around the decision-making process, please see this resource. The resource is also important for addressing the issues discussed in the FAQs immediately below.

Q: How may health departments share patient specific COVID-19 information with first responders that both provides needed information and respects individual privacy?

A: With respect to fully HIPAA covered health departments, OCR released guidance on March 25, 2020 detailing legally permissible disclosures to law enforcement, paramedics, and other first responders:

  • When the disclosure is needed to provide treatment, such as when emergency medical transport personnel will need to provide treatment to an individual with COVID-19 while transporting that person to a hospital.
  • When the disclosure is necessary because first responders may be at risk of infection, as authorized by state law. An example is where a county health department, in accordance with state law, discloses identifiable COVID-19 information to a police officer or others to prevent or control the spread of COVID-19.
  • When the disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. For example, a health department may share PHI about individuals who have tested positive for COVID-19 to first responders if the health department believes in good faith that it is necessary to prevent or minimize the threat of imminent exposure in discharging their duties. OCR’s recent guidance states that health care professionals must follow professional ethical standards and state law in making good faith determinations.

OCR offers a best practice for health departments sharing information with first responders when they are at risk of infection. This approach balances individual privacy with protecting the health and safety of first responders from infectious disease. If authorized by other law, such as state law, OCR indicates that a covered entity, such as a fully covered health department, could provide a list of names and addresses of all individuals who have tested positive or received treatment for COVID-19 to an EMS dispatch. On a per call basis, EMS dispatch would use the information on the list to inform the EMS personnel who are responding to the particular call so that they can use personal protective equipment or take extra precautions.

OCR’s guidance provides limitations, conditions and prerequisites for each of these disclosures, as well as legal citations.

Further, generally all health departments must comply with state law and other federal law regarding confidentiality of information. State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections. Relevant law and policy should be consulted.

Q: Is it appropriate for public health to request consent from asymptomatic medium risk travelers to provide their name and residential address/location to emergency responders (EMS) in order to protect the health of EMS personnel?

A: At this time, there is no clear answer to the question.

A health department might use the following framework to evaluate how to proceed. Can I? Must I? Should I?

With regard to “Can I?”, does the health officer have the legal authority to disclose this information? Most likely yes, as the disclosure would occur with patient authorization. If HIPAA applies to the health department and the health department obtains a valid signed patient authorization, HIPAA permits disclosure. 45 CFR § 164.508. Whether or not HIPAA applies, states may have their own requirements that apply to disclosure by a local health department identifying an individual who has or is being monitored for potential development of a communicable disease. State law with respect to consent requirements should be evaluated.

With regard to “Must I?”, usually not. While the health officer must protect the public and prevent and control the spread of disease, the health officer has a great deal of discretion in determining how to do this.

With regard to “Should I?”, this is where most public health decision-making lies. Most decisions are discretionary, based on professional judgment with input from team members with subject matter expertise, if indicated. Here, a health officer will need to weigh competing interests – balancing the individual’s interest in privacy against protecting EMS employees, the health care system, and the general public. Where public health asks a patient to consider consenting to the disclosure of her information and the patient signs the HIPAA patient authorization and possibly a state required consent form, the patient is given the opportunity to make the decision for herself.

For guidance around the decision-making process, please see this resource.

Disclosures to Law Enforcement

Q: Under HIPAA, in the absence of a court-ordered warrant or a subpoena, or summons issued by a judicial officer, what information about a positive COVID-19 case can a public health department share with law enforcement for the purpose of assisting with enforcing social distancing measures?

A: HIPAA provides several options for sharing PHI with law enforcement without patient authorization:

  • To the extent that disclosure is required by other law, such as state law. 45 CFR § 164.512(a).
  • To persons at risk of contracting or spreading a disease or condition if the health department is authorized by law to notify such person (e.g., law enforcement) as necessary in the conduct of a public health intervention or investigation. 45 CFR § 164.512(b)(1)(iv).
  • To prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. 45 CFR § 164.512(j). Health departments may disclose a patient’s health information to anyone who is in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers, and law enforcement, without a patient authorization. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. 45 CFR § 164.512(j).

Disclosures in Judicial and Administrative Proceedings

Q: If the health department receives an order from a court or administrative tribunal requesting patient identifiable COVID-19 information, may it share the requested PHI with the court or administrative tribunal?

A: For those health departments that are fully covered by HIPAA, the law allows a health department to respond to a court or administrative tribunal’s order, but only to the extent specified in the order. Only the minimum necessary PHI may be disclosed. 45 CFR § 164.512(e)(1)(i).

All health departments must comply with state law and other federal law regarding confidentiality of information. State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections. Relevant law should be consulted.

Q: If the health department receives a subpoena, discovery request or other lawful process requesting patient identifiable COVID-19 information that is unaccompanied by an order, is disclosure permissible?

A: If a fully HIPAA covered health department receives a subpoena, discovery request or other lawful process that is unaccompanied by an order, disclosure is permissible if the health department receives “satisfactory assurances” from the party seeking the information that reasonable efforts have been made to put the subject individual on notice of the request or that reasonable efforts have been made by the health department to secure a HIPAA compliant qualified protective order. Only the minimum necessary PHI may be disclosed. 45 CFR § 164.512(e)(1)(i).

As above, all health departments must comply with state law and other federal law regarding confidentiality of information. State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections. Relevant law should be consulted.

Disclosures in Response to a Freedom of Information Act Request

Q: If a health department receives a request for personally identifiable COVID-19 information under the applicable state Freedom of Information Act or other open records law, how should it respond?

A: Health departments must comply with both applicable open records law as well as state and federal confidentiality and privacy law as they respond to requests for personally identifiable COVID-19 information. The Reporters Committee for Freedom of the Press provides an Open Government Guide which offers a compendium of each state’s open records laws.

For those health departments that are fully covered by HIPAA, they may only release PHI that is required to be released by applicable state public records law. 45 CFR § 164.512(a). For more information, please see OCR guidance.

The Network for Public Health Law provides information and education about laws related to the public’s health. We do not provide legal representation or provide advice on a particular course of action.
